ABSTRACT

In this paper, an identity-based key agreement system and its implementation for mobile telephony in GSM and UMTS networks is presented. The use of telephone numbers as public keys allows the system to piggyback much of the security overhead for key management onto the existing GSM or UMTS infrastructure. The proposed approach offers solutions to the problems of multi-domain key generation, key distribution, multi-domain public parameter distribution and inter-domain key agreement. The feasibility of the approach is illustrated by presenting experimental results based on smartphones. While it is possible to implement end-to-end encryption of mobile phone calls based on a Public Key Infrastructure (PKI), the complexity of setting up and using a PKI is prohibitive, especially since many users of mobile phones are not well versed in cryptographic procedures and are quickly overwhelmed when confronted with public and private keys, certificates, signatures and revocation lists.
1. INTRODUCTION

In mobile phone networks, eavesdropping on a call is easy, even for non-governmental adversaries. Since the encryption schemes in GSM (2G) and UMTS (3G) only encrypt the radio link between the mobile phone and the base station, an attacker positioned anywhere in the network between the two base stations can usually intercept calls without great difficulty. Furthermore, since GSM base stations do not authenticate themselves to the phone, an attacker can pose as a base station and intercept phone calls in the vicinity. Due to backwards compatibility and UMTS coverage issues, most UMTS devices allow network fallback to GSM, opening up UMTS devices to the same man-in-the-middle attacks that afflict GSM networks.

Identity-based cryptography (IBC) promises to offer an approach to end-to-end encryption for mobile telephone calls in which the telephone numbers of the call participants are used as the public keys to secure the communication channel, thus making the cryptographic security procedure as easy as making a telephone call. The use of telephone numbers as public keys has two major benefits. Firstly, since the caller knows the number to be called, the caller also automatically knows the public key and does not need a separate public key look-up or certification infrastructure. Secondly, telephone numbers are easy to understand and users are confident in using them, such that there is no need to educate users to understand the link between a telephone number, a public key and/or its certificate, thus significantly lowering the complexity threshold of phone call encryption.

www.tjprc.org  editor@tjprc.org

Rushikesh Madhukar Bage & Gaurav Digambar Doiphode

Several solutions have been proposed which allow multiple identity private key generators (ID-PKGs) to interoperate [1-3], but these systems require either co-operation between the ID-PKGs or a hierarchical approach with a trusted party at the top. Both of these approaches are difficult to use in the area of mobile telephony due to organizational difficulties and conflicting business interests. As demonstrated by approaches based on a Certificate Authority (CA), there will always be competing organizations offering the same service for the same protocol (e.g. signing RSA public keys) without wanting to cooperate on the corporate level. Thus, to successfully deploy IBC in mobile telephony, the IBC system must be able to cope with real world network issues, such as allowing competing organizations to operate their ID-PKGs independently of other ID-PKGs, roaming and changing providers, while still enabling cross-domain execution of the IBC protocols for their customers.

In this paper, a new multi-domain identity-based key agreement system is introduced which focuses on the issues to be solved when implementing IBC for mobile telephony. The proposed approach is realized using standard telephone numbers as public keys with multiple security domains (i.e. mobile telephony providers). It utilizes the mathematics also used in the traditional Diffie-Hellman key agreement and Rivest-Shamir-Adleman (RSA) public key cryptography approaches. Solutions to the problems of multi-domain key generation, key distribution, multi-domain public parameter distribution and inter-domain key agreement are presented.

2. PROBLEM STATEMENT

In GSM networks, communication between a mobile station (MS) (i.e. a mobile phone) and a base transceiver station (BTS) is encrypted using the A5 family of stream ciphers (A5/1, A5/2). Due to design flaws, A5 is vulnerable to cryptanalysis such that attackers can eavesdrop on the communication. Updates to the A5 ciphers have been proposed to hinder further attacks, and the UMTS standard has replaced A5 by a more secure (and openly specified) algorithm, making cryptographic attacks on the radio link less of a concern.


A simpler attack is to subvert the communication setup before encryption. To allow an MS to authenticate itself to the network provider, it is given a subscriber authentication key (SAK). The SAK is stored both on the SIM card of the MS and in the Home Location Register (HLR) of the provider. The BTSs are connected to a Base Station Controller (BSC) that in turn is connected to a Mobile Switching Center (MSC) and a Visitor Location Register (VLR). These in turn are connected to the HLR and the Authentication Center (AuC) that give access to the SAK of the MS. During the authentication process, a 128-bit random challenge (RAND) is generated and combined with the SAK using the A3 algorithm [7] to create a 32-bit signed response called SRES. The SRES is sent by the MS via the BTS to the network, where it is compared to the value SRES* that the AuC of the provider computes from the same challenge using the A3 algorithm and the HLR copy of the SAK. If the two values match, the MS is authenticated and may join the network. The BTS does not authenticate itself to the MS. This opens up the possibility of a Man-in-the-Middle attack (MITMA). Using an IMSI catcher [8], an attacker can pose as a BTS and intercept calls in the vicinity by broadcasting a strong base station signal. Figure 1 shows the procedure. MSs are programmed to connect to the strongest BTS signal, thus if the IMSI catcher has the strongest signal they sever their current BTS connection (1) and connect to the IMSI catcher (2) no questions asked (3). Since the BTS is also responsible for selecting the security mechanism, the IMSI catcher can then force the MS to turn off encryption or select an insecure encryption algorithm (4) and thus allow the MITMA to operate.
Figure 1: IMSI Catcher Attack

The downside to this attack is that the IMSI catcher cannot function as a real BTS since it is not connected to the main phone network and must forward calls using its own MS and SIM (5). However, since the SIM in the IMSI catcher cannot register itself as the target SIM (due to the authentication of the MS), the attacked MS is not registered at any BTS and is not reachable while it is connected to the IMSI catcher. Thus, only outgoing calls can be intercepted, since the network cannot reach the attacked MS. Furthermore, the IMSI catcher is not a targeted attack. It affects all MSs in its vicinity, all of which are not reachable while they are connected to the IMSI catcher and whose calls would need to be forwarded if the IMSI catcher is not to become noticeable. While this attack should not be taken lightly, there are some real world problems in its execution.
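The one-sided authentication described above, as an added illustration that is not part of the paper: a toy model in which the MS answers any challenge it receives, the genuine network checks SRES against the AuC's recomputation, and a rogue BTS accepts anything and then commands A5/0 (no encryption). The IMSI, the keys and the HMAC-based stand-in for the operator-specific A3 algorithm are constructed for this example.

```python
"""Toy model of GSM's one-sided challenge-response authentication.

The MS proves knowledge of its SIM key; nothing the network sends is
authenticated, so a rogue BTS can run the same dialogue, accept any SRES
and then choose the cipher mode.  A3 is operator-specific, so HMAC-SHA256
truncated to 32 bits stands in for it here (assumption of the example).
"""
import hashlib
import hmac
import secrets


def a3(sak: bytes, rand: bytes) -> bytes:
    """Stand-in for A3 (assumption): 32-bit SRES from the 128-bit SAK and RAND."""
    return hmac.new(sak, rand, hashlib.sha256).digest()[:4]


class MobileStation:
    """Phone plus SIM: holds the SAK, answers challenges, obeys cipher mode commands."""
    def __init__(self, imsi: str, sak: bytes):
        self.imsi, self.sak, self.cipher = imsi, sak, None

    def respond(self, rand: bytes) -> bytes:
        return a3(self.sak, rand)          # the MS cannot tell who issued RAND

    def cipher_mode_command(self, algorithm: str) -> None:
        self.cipher = algorithm            # the network chooses; "A5/0" = no encryption


class GenuineNetwork:
    """BTS/MSC front end backed by an AuC holding the HLR copy of each SAK."""
    def __init__(self, hlr: dict):
        self.hlr = hlr

    def authenticate(self, ms: MobileStation) -> bool:
        rand = secrets.token_bytes(16)                      # 128-bit RAND
        sres = ms.respond(rand)                             # MS -> network
        sres_star = a3(self.hlr[ms.imsi], rand)             # AuC recomputes SRES*
        if not hmac.compare_digest(sres, sres_star):
            return False
        ms.cipher_mode_command("A5/1")
        return True


class ImsiCatcher:
    """Rogue BTS: knows no SAK, yet the MS completes the same dialogue with it."""
    def __init__(self):
        self.captured = []

    def authenticate(self, ms: MobileStation) -> bool:
        rand = secrets.token_bytes(16)
        self.captured.append((ms.imsi, rand, ms.respond(rand)))   # step 3: IMSI harvested
        ms.cipher_mode_command("A5/0")                            # step 4: encryption off
        return True                                               # nothing was verified


def simulate() -> dict:
    sak = secrets.token_bytes(16)
    ms = MobileStation("262011234567890", sak)                # constructed IMSI
    genuine_ok = GenuineNetwork({ms.imsi: sak}).authenticate(ms)
    cipher_with_genuine = ms.cipher
    # A network holding the wrong SAK is rejected: MS authentication itself works.
    wrong_key_rejected = not GenuineNetwork({ms.imsi: secrets.token_bytes(16)}).authenticate(ms)
    rogue = ImsiCatcher()
    rogue.authenticate(ms)                                    # the MS has no way to refuse
    return {
        "genuine_ok": genuine_ok,
        "cipher_with_genuine": cipher_with_genuine,
        "wrong_key_rejected": wrong_key_rejected,
        "cipher_with_rogue": ms.cipher,
        "imsi_captured": rogue.captured[0][0],
    }
```

`simulate()` returns the outcome of the three dialogues; the point is the asymmetry, the MS is verified, the base station never is.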

A much simpler attack is enabled by cost saving measures in common practice when setting up base stations. Since connecting all BTSs to a secured wired network is costly, BTSs can also be connected to the main network via a directed microwave link. This microwave signal is sent without encryption and can easily be intercepted, giving an attacker clear text access to all calls going via this link without leaving a physical trace. But even a wired connection is not safe if an attacker is willing to apply a physical tap to the line. These link taps are particularly relevant since they can be used without affecting the rest of the network and thus cannot be easily detected. They also allow a large number of calls to be tapped simultaneously. For instance, a BTS located near a firm, government building or celebrity house can be tapped, thus making all mobile calls made to and from that location available to the attacker. Since the equipment needed to execute such a tap is becoming more portable and cheaper at a rapid rate, this kind of attack will rapidly gain in relevance.

To prevent the above attacks, end-to-end protection of phone calls is required. However, the solution must be deployable in a multi-organization environment and be usable by non-tech savvy users. As stated in the introduction, conventional PKI based solutions are too complex both for the network providers and for the users. A simple approach is required which can be implemented by network providers independently of each other and which does not introduce added complexity for end users. In the next section, an algorithm will be presented that fulfills these requirements. The algorithm allows two MSs to perform a session key agreement over an unsecured channel and between different providers using telephone numbers as public keys. Using the created session key, a symmetric encryption of all call data can be performed. The algorithm prevents MITMA attacks and offers perfect forward secrecy.

3. ALGORITHMS

3.1 Algorithmic Overview

The identity-based key agreement protocol SSF (Secure Session Framework) consists of four main algorithms: Setup, Extract, Build SIK, and Compute.

3.2 Key Agreement

The Setup algorithm (Figure 2) is executed by the ID-PKG. This part of the key agreement protocol is only performed once and creates both the master secrets P and Q as well as the public parameters.
Setup - The Setup algorithm is executed by the ID-PKG.

Input: $k \in \mathbb{N}$

Step 1: Choose an arbitrary integer $R > 1$ from $\mathbb{Z}^+$.

Step 2: Generate two primes, $P$ and $Q$, of bit length $k$ with the following properties:

1. The prime factorization of $(P - 1)$ contains a large prime $P'$
2. The prime factorization of $(Q - 1)$ contains a large prime $Q'$
3. $\gcd(R, \varphi(N)) = 1$, where $\varphi$ is Euler's totient function

Step 3: Compute the product $N = PQ$

Step 4: Choose a generator $G$ of a subgroup $\mathbb{G}$ of $\mathbb{Z}_N^*$ whose order contains at least one of the primes $P'$ or $Q'$ such that the Computational Diffie-Hellman Assumption (CDHA) [9] holds in $\mathbb{G}$

Step 5: Choose a cryptographic collision-resistant hash function $H: \{0,1\}^* \to \mathbb{Z}_N$.

Output: $PSP = (N, G, R, H(\cdot))$, $SP = (P, Q)$

Figure 2: Setup Algorithm

Public, Shared Parameters. The public, shared parameters (PSP) of a domain D of the key agreement protocol SSF are the quadruple $PSP = (N, G, R, H(\cdot))$.

The Extract algorithm (Figure 3) creates the identity key (i.e. the private key) for a given identity. This algorithm is executed by the ID-PKG, since taking the $R$-th root modulo $N$ requires $R^{-1} \bmod \varphi(N)$ and therefore the master secrets $P$ and $Q$. If all IDs are known and the range is not too big (e.g. a Class B or C subnet of the Internet), it is possible to execute this step for all IDs offline, and the master secrets can then be destroyed, if required.


Extract - The Extract algorithm is executed by the ID-PKG.

Input: PSP, SP, ID

Let ID be a given identity. The algorithm computes $d_{ID} = H(ID)^{1/R} \bmod N$.

$d_{ID}$ is called the identity key and is given to the entity $E_{ID}$.

Output: $d_{ID}$

Figure 3: Extract Algorithm

The Build SIK algorithm (Figure 4) is executed by the devices taking part in the key agreement.

The random integer $r_{ID}$ is generated with a cryptographically secure random number generator to make $r_{ID}$ unpredictable. The private identity key is multiplied by $G^{r_{ID}}$, so that the SIK reveals nothing about the identity key: without $r_{ID}$, the blinding factor $G^{r_{ID}}$ is an unknown element of the ring $\mathbb{Z}_N$, and the set of candidate quotients is so large that extracting the identity key from the SIK is infeasible. The SIK is then sent over an unsecured channel to the other party and vice versa. The SIK must be greater than zero to prevent a trivial replacement attack where an attacker replaces the SIKs with zero, which in turn would make the session key zero as well. Any other replacement leads to session keys the two parties do not share. The final step of the key agreement process is the computation of the session key using the Compute algorithm (Figure 5), which is executed by the devices taking part in the key agreement. By multiplying with the inverse of the hash value of the opposite party's identity, the involved identity key is canceled out. Only if both endpoint addresses match their identity keys is a shared session key created; the algorithms of Figures 4 and 5 contain no explicit key confirmation step, so a mismatch only becomes visible when the encrypted call data cannot be decrypted.

Build SIK - The Build SIK algorithm is executed by the entity $E_{ID}$.

Input: PSP, $d_{ID}$

Step 1: Choose a random integer $r_{ID}$ from $\mathbb{Z}^+$.

Step 2: Compute $SIK_{ID} = G^{r_{ID}} \cdot d_{ID} \pmod N$.

$SIK_{ID}$ is the SIK (session initiation key) for the identity string ID that belongs to entity $E_{ID}$.

Output: $SIK_{ID}$

Figure 4: Build SIK Algorithm

Compute - The Compute algorithm is executed when two parties perform a key agreement.

Input for $E_{ID1}$: ID2, PSP, $SIK_{ID2}$, $r_{ID1}$

Input for $E_{ID2}$: ID1, PSP, $SIK_{ID1}$, $r_{ID2}$

When $E_{ID1}$ receives the session initiation key from $E_{ID2}$, it calculates:

$\left(SIK_{ID2}^{R} \cdot H(ID2)^{-1}\right)^{r_{ID1}} = \left(\left(G^{r_{ID2}} \cdot d_{ID2}\right)^{R} \cdot H(ID2)^{-1}\right)^{r_{ID1}} = G^{R \cdot r_{ID1} \cdot r_{ID2}} = S \bmod N$

When $E_{ID2}$ receives the session initiation key from $E_{ID1}$, it calculates:

$\left(SIK_{ID1}^{R} \cdot H(ID1)^{-1}\right)^{r_{ID2}} = \left(\left(G^{r_{ID1}} \cdot d_{ID1}\right)^{R} \cdot H(ID1)^{-1}\right)^{r_{ID2}} = G^{R \cdot r_{ID1} \cdot r_{ID2}} = S \bmod N$

Output: $S$, the session key for $E_{ID1}$ and $E_{ID2}$.

Figure 5: Compute Algorithm

The key distribution system proposed by Okamoto [10] extracts its identity information in a similar manner as in our scheme, but does not address the case of key agreement between different domains.

3.3 Key Agreement between Different Domains

The ID-PKG determines the public, shared parameters, and all entities that receive their identity key for their IDs from this generator can establish a key agreement among each other. In practice, it is very unlikely that all phones will receive their identity key from the same security domain, since this would imply the existence of a third party trusted by all with a secure communication link to all devices. Since telephone network providers are in charge of managing the MS information of their customers autonomously, it is desirable that they also manage the security information autonomously, meaning that they must be allowed to operate their own ID-PKG without having to cooperate with other providers. The management infrastructure, such as HLRs and AuCs, can then simply be extended by the required additional data.

We now show how cross-domain key agreement can be achieved such that only the public parameters must be distributed (which will be discussed in section 4). Each device only needs a single identity key, and the ID-PKGs do not need to agree on common parameters or participate in any form of hierarchy. In the following, we assume without loss of generality that there are two domains D1 and D2.

Their public parameters are $(N_1, G_1, R_1, H_1(\cdot))$ and $(N_2, G_2, R_2, H_2(\cdot))$, respectively. Every parameter can be chosen independently. The case that $\gcd(R_2, \varphi(N_1)) > 1$ or $\gcd(R_1, \varphi(N_2)) > 1$ is not critical, since no $R$-th roots must be computed with respect to the other domain's modulus. The two moduli $N_1$ and $N_2$ were chosen according to the requirements stated in the Setup algorithm, i.e. the computation of discrete logarithms is infeasible in $\mathbb{Z}_{N_1}$ and $\mathbb{Z}_{N_2}$, respectively. Consequently, an algorithm such as the Pohlig-Hellman algorithm [11] cannot be applied and Pollard's $p - 1$ factoring algorithm [12] is not a threat. Thus, a random non-trivial integer has a large order in $\mathbb{Z}_{N_1 N_2}$ with overwhelming probability, and the computation of discrete logarithms is infeasible in $\mathbb{Z}_{N_1 N_2}$.

In the following, an entity $E_{ID1}$ from D1 wants to communicate with $E_{ID2}$ from D2. The algorithm for cross-domain key extension is shown in Figure 6.


Figure 6: Cross-Domain Key Extension Algorithm

In step 1 of the cross-domain key agreement algorithm, the common shared public parameters are formed from the element-wise products of both sets of domain parameters (both hash functions are retained). In step 2, entity $E_{ID1}$ extends its identity key using the Chinese Remainder Theorem. In step 3, entity $E_{ID1}$ extends its hash identifier, also using the Chinese Remainder Theorem. The procedure for entity $E_{ID2}$ is analogous, only the indices change from 1 to 2. Key agreement is then performed using the extension of the original algorithm shown in Figure 6.

Cross-Domain Key Extension (from the view of participant $E_{ID1}$)

Executes: Query PSP2, Extend $d_{ID1}$ and Build eSIK

Input: PSP1, PSP2, $d_{ID1}$

Step 1: Calculate the common, shared, public parameters $PSP_{1,2} = (N_1 \cdot N_2,\ G_1 \cdot G_2,\ R_1 \cdot R_2,\ H_1(\cdot),\ H_2(\cdot))$

Step 2: Use the Chinese Remainder Theorem to calculate the integer $\hat{d}_{ID1}$:

$\hat{d}_{ID1} \equiv d_{ID1} \pmod{N_1}$ and $\hat{d}_{ID1} \equiv 1 \pmod{N_2}$

Step 3: Use the Chinese Remainder Theorem to calculate the integer $\hat{H}_1(ID1)$:

$\hat{H}_1(ID1) \equiv H_1(ID1)^{R_2} \pmod{N_1}$ and $\hat{H}_1(ID1) \equiv 1 \pmod{N_2}$

Step 4: Build eSIK via $eSIK_{ID1} = (G_1 \cdot G_2)^{r_{ID1}} \cdot \hat{d}_{ID1} \bmod N_1 N_2$

Output: $eSIK_{ID1}$, the cross-domain session initiation key

4. IMPLEMENTATION ISSUES

Like most other IBC approaches, our system also uses shared public parameters. In a single domain scenario, the distribution of the public parameters is not a problem. However, if each network provider runs its own ID-PKG, the number of public parameters and the binding between public parameters and identity keys becomes more complex. As stated above, this distribution problem is still much smaller than the distribution problem for traditional public keys, where each entity has its own public key that needs to be distributed. Of course, traditional PKI technology can be used to distribute the public parameters, but a more suitable solution is to integrate the public parameters into the GSM/UMTS lookup mechanism and carry the information over the SS7 protocol.

Since there already is lookup functionality to locate the HLR of an MS and the current location of the MS, a flag can be attached to the request message, stating that the public parameters of the called MS's provider should be piggybacked onto the response. The flag is used since the public parameters only need to be queried for the very first call to an MS of a particular provider. All subsequent calls to the same or other MSs of the same provider do not need a further public parameter lookup. In the case of UMTS, this is reasonably secure since the network authenticates itself to the MS, and thus an active MITMA that could otherwise tamper with the public parameters is prevented.

The passive MITMAs still possible with UMTS are not a danger to the transfer of the public parameters since they are public anyway. In the case of GSM, this form of public parameter distribution holds the risk of an attacker with an IMSI catcher replacing the public parameters with his own on the first call made to a provider by an MS. However, this attack only works on the very first call ever placed to a provider and will be detected as soon as the MS calls someone else at the same provider after the attack, due to a public parameter mismatch. Note that the GSM fallback described in the introduction exposes UMTS handsets to the GSM case as well. To summarize, this form of public parameter distribution is not a problem in UMTS networks, and if the slight security risk in GSM networks is unacceptable, a traditional CA based signing approach can be added to prevent tampering with the public parameters.

4.1 Key Expiration

Another practical issue of mobile phone call encryption is the fact that telephone numbers are reused. In a PKI or CA based solution, this creates several problems, since the central PKI must be updated or the CA must be contacted to re-sign public keys as the MSs swap telephone numbers. Certificate Revocation Lists can be used to accomplish this, however the solutions tend to become quite complex. In particular, public key caching mechanisms can lead to problems.

In the presented identity-based solution, natural key expiration techniques can be used to cope with telephone number reuse. Boneh et al. showed how keys can be given a lifetime, which allows natural expiration of the identity key. This is done by the internal concatenation of the ID, in our case the telephone number, with a date. The same technique can be used in our solution. Thus, when a customer releases a telephone number and it is reused, the next customer will have a different identity key based on the current date. Since telephone number reuse is time-delayed in any case, this time frame can be used as the key lifetime to ensure that each successive owner lies in a new lifetime slot. With the techniques introduced in this paper, a frequent automatic in-band key distribution can be safely executed and thus key renewal is far less of a problem. Additionally, key expiration also reduces the risk of identity key theft, since the attack window is restricted to a small time interval.

5. EXPERIMENTAL RESULTS

In this section, experimental results of the presented identity-based cryptographic security solution for mobile phone key agreement are presented. In the experiments for the key agreement, the following parameters were examined: the modulus, with N = 512, 1024, 2048 and 4096 bit; the random exponent, with rID = 64, 128, 256 and 512 bit; and the chosen public parameter R = {3, 17, 513, 65537}. The numbers chosen for R were selected to give an overview of the performance of the algorithm based on the size of R. R can be chosen arbitrarily by the ID-PKG according to the setup algorithm (Step 2.3). Each of the following tables contains the mean time for the key agreement operations of the 100 trial runs computed using a fixed modulus, with rID and R in the rows and columns. It is evident from the tables that the main contribution to the computational time is the modulus and the random exponent.

The public parameter R selected by the provider does not have a significant effect, because the cost of the modular exponentiation with exponent R depends on the number of 1s in its binary representation, and the values of R used all contain exactly two binary 1s. The parameter R is not security critical for R > 3. While the time needed for key agreement using a 4096-bit modulus and a 512-bit random exponent is too long for current devices, key agreement with a 2048-bit modulus and 128 or 256-bit random exponents has acceptable run times. Once a session key has been established, a symmetric encryption of the call using AES-256 is executed. The encoding block was set to 4096 bytes, which contains at least 256 ms (depending on the compression) of audio data.

6. RELATED WORK

Kumar et al. present an IBC based approach to mutual authentication and key agreement for GSM networks. Unlike our proposal, Kumar et al. use the IMSI number as the public identity key. The security of the protocol relies on a secure channel to the HLR and VLR (Phase 1, Steps 2 and 3). Both of these design decisions have drawbacks. Firstly, using the IMSI as the public key means the users must trust the infrastructure to show them the correct binding between telephone number and IMSI number, since most users do not know their own IMSI, let alone the IMSI of other users. Secondly, the communication channels between the MS and the HLR and VLR are not considered to be secure and must be handled by the presented solution.

There are other approaches such as the Cryptophone that applies the Zfone VoIP security mechanism to mobile phones. Zfone executes a standard Diffie-Hellman key agreement (which is vulnerable to an active MITMA), but then displays a hash of the generated session key to both users. One user must then read out the hash to the other user, who can then see if the key agreement was compromised, since if a MITMA attack has taken place, the hash values are different. While preventing simple MITMAs, the Zfone solution is somewhat cumbersome, since users must read out hash values to each other. It also does not prevent impersonation attacks or voice based MITMA attacks. The key distribution system proposed by Okamoto extracts its identity information in a similar manner as in our scheme, but does not address the case of key agreement between different domains.

7. CONCLUSIONS

In this paper, an identity-based key agreement system for mobile telephony in GSM and UMTS networks was presented. All attacks presented in the paper can be prevented by the identity-based cryptographic solution. The use of telephone numbers as public keys reduces the complexity of the security management framework as well as the usage complexity of phone call encryption.

The approach offers solutions to the real world problems in realizing an identity-based security framework for mobile phone call encryption, namely multi-domain key generation, key distribution, multi-domain public parameter distribution and inter-domain key agreement. Experimental results show that current smartphones are powerful enough to run the presented system. Future work will include simulated large scale deployment and scalability studies to quantitatively evaluate the administrative benefit of using the presented identity-based approach compared to a traditional PKI. The proof-of-concept solution will also be ported to further platforms beyond Symbian. Finally, user studies will be performed to further evaluate the benefits to the non-tech savvy end user.